Our talk is about forensic fails. I'm this guy over here. I founded an e-discovery company
about 11 years ago. I'm a forensic examiner. I have done thousands and thousands of exams.
I'm also an expert witness in state, federal court, et cetera. And I like cats. And my
name is Eric Roby. All right. About this other guy. Hi, I'm Michael Perklin. You may
remember me from other DEF CON talks such as ACL steganography. I'm a forensic examiner,
cyber crime investigator, security professional. I've also done thousands of exams. And I like
to break things. A lot.
Thank you.
Don't break my cat. All right. So our agenda today, we have got seven amazing
stories full of fail. We're going to learn something about forensic techniques because
that's what we do. And the fails today are brought to you by both the suspect and the
examiner. And we'll get into that in a little bit. The names have been changed to protect
the idiots on both sides. We've actually changed some of the facts to protect the idiots. And
it seemed like a good idea.
And it's a good thing to do, basically. But because fail was not just one dimensional,
we found many dimensions of fail in our research. We've decided we need to create a fail matrix.
To explain how the ‑‑ so this is just ‑‑ I'm just going to explain how the fail matrix
works. The first level of fail is the user retard level. Oh, my God. I spelled that wrong.
Drink. Drink. Drink. For the record, he was responsible for the keynote presentation,
so this is definitely his fail. This is my fail. I get ten points. The punishment
level depends on what happens. This particular guy lost the case. Dollars distressed cause.
Let's give this one five points. Bonus points are just whatever the fuck I feel like doing.
His girlfriend left him in this case, so he gets 35 points.
Let's get into the first one. This is the it wasn't me defense. You may have heard this
one before. We do a lot of commercial litigation. A really typical kind of case is a trade secrets
case. This is a typical example of that. This guy, Bob, he was working in sales at Acme.
He resigned his position and decided to go work for a competitor. This happens all the
time. And some allegations were made by his employer that he took some trade secrets.
He took the customer list with him to his new company. It happens. So Bob says, I got
nothing to hide. Come at me, bros. He didn't exactly say that, but it sounded good. I'm
paraphrasing. So we started imaging the drive and we started planning the examination. We
look for deleted files in unallocated space. And unallocated space is the part of the drive
that can typically contain deleted files. So it's, you know, when you hit shift delete
and it doesn't go away, it ends up in unallocated space. So we will look for stuff there. Something
we also do is we look for recently used files by common programs like Word, Excel, Acrobat
and so forth. And we might look for USB device insertion. We're basically looking to see
how trade secrets got from, you know, a computer to a computer. So we're looking for something
like, you know, Acme over to the new company. Finally the drive finished imaging. And I'm
actually going to share something really cool today. It's a DEF CON exclusive, worldwide
premier. We found a new wiping pattern.
This is actually real.
I'm not making this up. This is real.
So you know, Bob apparently had used some kind of data destruction program that can
overwrite every bit of space in unallocated space. He used a pattern that, however, was
not really commonly used by Windows or any of the other utilities I've seen. Might have
been something custom. So, you know, I thought, hmm, this might suggest something bad was
happening here.
Let's, you know, let's see.
So, let's take another closer look at this.
So we're going to look at this on a molecular level now.
I think we need to zoom in a little bit more.
So what green leggings .
the second part there was no Sarah Palin in this case. So data destruction can almost
always be detected. Even if you don't use a repeating pattern, it's still detectable.
We see it all the time. There's artifacts left behind that could be part of the pattern
or there's artifacts in the operating system itself. So we might not know what you've destroyed,
but we'll definitely know you destroyed something. Oops. This is the mic. Here you go. It doesn't
work very well. Mean phrases make people dislike you. What about your fail matrix?
We got to do the fail matrix. All right. All right. 12. Pretty retarded, I think. You know,
the guy lost the case. He got sued. Under $100,000, so not a huge amount of economic
distress and I didn't really give him any bonus points here because it just wasn't that
good. He gets 27.
I think we can blame that guy who gave me the beer. All right. So this case was a lot
of fun. I didn't expect it to be fun when I started out, but it ended up being a lot
of fun. I call it the Nickelback guy. You'll see why in a second. So it was another allegation
of stolen confidential data.
This guy, let's call him John, he left one company to go work for a direct competitor.
And his old company hired us to go in and take a look at his ‑‑ Can we get audio
for this, by the way? We're going to need audio for this segment. So if you could turn
it on. So, yeah, the company where he left, they asked us to take a look at his work
computer to look for signs of data exfiltration. He worked on a lot of confidential projects.
And they just wanted to make sure that he wasn't taking these confidential projects
to the competitor and letting them know what they were doing.
So right. I totally said all that. So we ‑‑ why is this not working? There it is. We opened
up the hard drive to start the analysis. And we started finding all the same stuff that
you typically find on a work computer. Yeah, there's some work stuff. Sure, some evidence
of Facebooking.
We had an MP3 collection. He liked to listen to music while he was at work. Typical stuff.
We found the confidential documents that we were asked to make sure he didn't take. So
that was to be expected because he did the work on this ‑‑ on this computer. And
almost immediately something jumped out at me. And we'll get into why it jumped out
at me in a second. But his music collection became very interesting to me. Not because
I love Nickelback.
But because ‑‑ well, again, we'll get into this in a second.
That would be fail.
Yeah. And I'm Canadian, too. So I ‑‑ yeah, Nickelback's from Canada.
Yeah. If you take a closer look at this photo, something may jump out at you as well.
These are just MP3s. Just songs. But the size of these files is a little bit off.
What's wrong here?
Yeah. The extended play Nickelback. This guy really loved his Nickelback.
So these were actually a bunch of AVI files.
These were just AVI files that he had renamed. So it seems that John assumed nobody would
listen to his Nickelback MP3s, which is probably a good assumption, because I don't think anybody
would listen to his Nickelback MP3s. And he was hiding something. But what was he hiding?
Oh.
Pregger porn. This guy had quite a big fetish for pregger porn. These were full length feature
films of pregnant ladies banging. And there was a ton of them all over this guy's hard
drive. Well, we did have to analyze them to see
what they were. But I will say that the specific techniques
that we used to analyze, they're trade secrets. So I can't tell you how much depth we went
into when we were analyzing them. But, yeah, it seems John did a lot more than just work
on his confidential project on that computer. So we had to tell the company that over the
last three years, we've been working on a lot more than just the confidential project.
Three years while he was working there on this confidential project, he was also doing
other stuff. They were pretty happy that he left anyways.
All right. So what have we learned? Examiners, when we take a look at files on
a computer, we don't typically look at it in the nested folder structure. We don't have
to go into every single subfolder, go back out, go into other subfolders, back it out.
We see it all in a big, long list. It makes it a lot easier to analyze stuff.
Also, one of the very first things we always run is what's called a file signature analysis.
This is a special script that looks at the contents of every file and it compares what's
inside the file with the extension. And if there's any discrepancies, those files are
bumped up to the top of the list to be looked at because the system knows if these don't
match, something may not be right here. A human should take a look at this. I just said
those things. And so at the end of the day, John's attempt at hiding his privacy, his
tiger porn, actually made it bump up to the top of the list for me to take a look at.
So if you're going to hide something, don't just change a file name. That doesn't hide
something. That makes me want to look at it even more.
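The file signature analysis described above, as an added example (not the speakers' own tooling): it flattens a tree into one list, compares each file's leading bytes with its extension, and bumps mismatches such as an AVI renamed to .mp3 to the top. The signature table and the sample listing are constructed for this example.

```python
import os
from typing import Iterable, List, Optional, Tuple

# Magic-number table, constructed for this example: extension -> leading bytes.
# A real signature database carries hundreds of entries; these cover the
# formats in the story (MP3, AVI) plus a few common office types.
SIGNATURES = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),  # ID3v2 tag or MPEG frame sync
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),  # OOXML is a ZIP container
    ".jpg": (b"\xff\xd8\xff",),
}
HEADER_LEN = 16  # bytes read from the start of each file


def identify(header: bytes) -> Optional[str]:
    """Return the extension the leading bytes look like, or None if unknown."""
    # RIFF containers (AVI, WAV) share a prefix; the form type at bytes 8..11 decides.
    if header.startswith(b"RIFF"):
        return {b"AVI ": ".avi", b"WAVE": ".wav"}.get(header[8:12])
    for ext, patterns in SIGNATURES.items():
        if any(header.startswith(p) for p in patterns):
            return ext
    return None


def signature_analysis(files: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """files: (path, first bytes) pairs from a flattened listing.

    Returns one row per file with mismatches bumped to the top of the list,
    unknown signatures next, and clean matches last.
    """
    rows = []
    for path, header in files:
        ext = os.path.splitext(path)[1].lower()
        looks_like = identify(header[:HEADER_LEN])
        if looks_like is None:
            status = "unknown"
        elif looks_like == ext:
            status = "match"
        else:
            status = "MISMATCH"
        rows.append({"path": path, "ext": ext, "looks_like": looks_like, "status": status})
    rank = {"MISMATCH": 0, "unknown": 1, "match": 2}
    rows.sort(key=lambda r: (rank[r["status"]], r["path"]))
    return rows


def scan_tree(root: str) -> List[dict]:
    """Flatten a directory tree into one long list and run the analysis on it."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    found.append((path, f.read(HEADER_LEN)))
            except OSError:
                continue  # skip entries we cannot read
    return signature_analysis(found)


# Constructed sample listing: one "MP3" that is really an AVI, like John's collection.
SAMPLE_FILES = [
    ("Music/Nickelback/track02.mp3", b"ID3\x03\x00\x00\x00\x00\x10\x00"),
    ("Work/project_bluebook.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("Music/Nickelback/track01.mp3", b"RIFF\x10\x27\x00\x00AVI LIST"),
    ("Work/notes.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("Desktop/unknown.bin", b"\x00\x01\x02\x03\x04\x05"),
]

if __name__ == "__main__":
    for row in signature_analysis(SAMPLE_FILES):
        print(f'{row["status"]:9} {row["path"]:32} ext={row["ext"]} content={row["looks_like"]}')
```

Run `scan_tree("/path/to/mounted/image")` against a read-only mount of an image to get the same ordering over real files.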
All right. So the fail matrix. The user retard level, I would say 12, because, again, renaming
a file is not data hiding. If you want to do real data hiding, you should have come
to my ACL steganography talk. Punishment level 13, he lost his job, not only the previous
company where he left. But the new company, he lost his job. He lost his job. He lost
his job there. Distressed cause was zero. Didn't really hurt anybody. I mean, what you
choose to do on your own time is up to you. Although he chose to do it on work time with
work stuff. You know what the bonus points are going to be for, don't you?
Yeah. There's going to be some bonus points, I would say about a nickel's worth.
So that would be just a grand total of 30, 50, 60, 70, 80, 100, 100, 100, 100, 100, 100,
100 fail points. All yours.
That is the fail sound. Thank you. By the way, do you like the font that we're using?
Comic Sans. Can I get a hand for Comic Sans? Nobody uses Comic Sans. It's the most underappreciated
font in presentations.
Yeah. I don't know why we don't see Comic Sans in more business settings. I mean, really.
We're bringing it back. We're bringing it back. It's a new movement.
All right. So let's look at the just bill me later case. So our client, the ABC firm,
they outsourced a key part of their business. They've been doing it for many years. And
the part of their business that they're outsourcing is on a time and materials basis. So there's
a lot of invoices with hours and rates and that's basically it. It was several million
dollars a year on average that was being billed. And our client started a review project because
they thought they were being overbilled. They thought there might be a little inflation
and they wanted to figure out why things were looking inflated. They looked at some
of the individual bills and they thought things were taking a little bit too long.
So we came in and we decided to help. So they had thousands and thousands and thousands
of PDF format invoices. Now that's not going to do us a lot of good. Even if we OCR'd,
even if we apply optical character recognition to it, we've still got a lot of unstructured
data. So I can't really ‑‑ I can search one or two PDFs but when I've got tens of
thousands of them, it's really difficult to do anything with that.
So where did we start?
We didn't have a lot of clues in this one. So through the magic of court order, we were
able to go to this customer's database, their network, and get an image of everything in
their network, including a billing database, which turned out to be very handy. So we made
a forensic copy of this database. And it was in a proprietary format. And so in order for
us to do forensic analysis in a database, we need to be able to get it into something
like SQL where we can ‑‑
Exactly.
So we migrated over, we do standard queries. And we're looking at it, and
there's still no easy way to compare the PDF to the database. So we decided to reverse
engineer the tables in the database. Sometimes it's easy, but sometimes there are thousands
and thousands of tables and when you don't have tech support or the developers, you just
have to figure it out. It's a really slow, laborious process. But we did figure it out.
We noticed that the audit logs were turned on in this, which happened to be particularly useful.
So we ran a lot of queries versus the time billed versus the audit logs and we found
there was sort of a pattern of inflation going on because basically when you're billing on
time and materials, all you're doing is you've got either hours or you've got a rate and
those are the two things and they got overly inflated.
So basically there's two things that you can change there.
You can change time or you can change the rate.
But we found the audit logs were turned off by default and the IT folks, bless the IT
folks, they turned the audit logs on which was really, really, really helpful because
we do a lot of database forensics cases and this is the only one we've seen where the
audit logs were turned on.
So we were able to compare basically the amount that was billed at the end of the day
versus how many hours were put on up to that point.
We were able to see a chronology.
So maybe at the end of the day the bill was for $1,000 but we saw there was only $800 that
was actually billed.
So the billing person, the database person who basically was working with it, this person
would change the hours and the rate sometimes and bump it up.
So it went up from, like, $800 to $1,000 on a typical invoice.
They did this thousands and thousands and thousands of times.
So let's look at the fail matrix.
So I didn't give the user retard level ‑‑ you know, too many people.
Eight points here because it was a billing administrator.
Most people don't really know what's going on inside a database, most average people.
However, they had to refund the money.
So they get 18 points for that.
Over the last, like, four or five years' worth of money.
So it was a lot of money.
It was about $12 million, actually.
So they get 15 points.
I wish.
And bonus points, eh, systematic culture of over billing.
They get 45.
Okay.
This next one, I call it smoking gun.txt.
If you work in the forensic arena, you've probably heard the term, the smoking gun.txt.
It's the gag name of what you're always looking for in a case.
It could be that record in a database.
It could be that Internet history record that shows that the guy really did something.
It comes from the cheesy western movies where the murderer's gun is still smoking after
he shot it.
It proves that he was the one who fired the shot.
So in forensics, you're always saying, oh, did you find the smoking gun?
Yeah, found the smoking gun.txt.
Sometimes I wish it's as easy as finding a file named smoking gun.txt, but you can
only wish.
This is another intellectual property case.
Again, you've got a guy leaving one company to go work for another company, and the first
company says.
Can you make sure he didn't do stupid shit?
And we called in to make sure that he didn't do stupid shit.
So we imaged the drive.
We kicked off our standard analysis scripts, like the file signature analysis script that
I told you guys about before, and opened up his desktop folder.
I always like to open up the desktop folder of every suspect that I'm examining because
you can tell a lot about what a guy ‑‑ a lot about the person when you're looking at
the desktop.
Do they cram a lot of files in there?
In an unorganized fashion?
Or maybe everything is neatly packed away in my documents folder?
Things like that.
Are they arranged nicely?
Or is it just all smattered?
It tells you a little bit about the person so you can get a little bit into the mind
of who they are.
And immediately I solved the case.
How did you do that?
So well, this is the smoking gun.txt.
It was almost as easy as this.
With a barbeque?
No, sorry.
I opened up the desktop folder and I saw this.
I'm hoping you can see that in the back, but I'll read it out for you.
You've got a folder on the desktop.
You can see at the bottom left there.
The folder is called competitive intelligence.
And inside that folder we've got a PowerPoint presentation titled project blue book.
We've got some PDFs.
We've got a whole bunch of stuff about this project blue book that this guy was working.
He was getting ready to deliver this presentation to the executive leadership team of the new
company telling them everything about this confidential project from his old company.
Yeah.
He didn't even make it difficult for me.
Not only all this stuff was there, but he made a PowerPoint presentation describing
it to deliver all the knowledge for this to the ELT.
Yeah.
Okay.
I just said that.
Did we overbill for this?
We're not the last client.
All right.
Pardon me?
I don't even remember.
Probably ‑‑ well, it took 20 minutes, so we probably just billed one hour.
Michael, what have we learned in this case?
Well, we learned that sometimes people don't work.
Even try.
Fail matrix.
All right.
User retard level has got to be an 18.
I mean ‑‑
You couldn't score it higher?
We could.
But we're saving the higher scores for some of the later stories.
Yeah.
So this guy ‑‑
Members are going up.
You may have noticed.
Yeah.
So far each one has been going up.
Yeah.
You got an 18 for user retard level because if you're going to be doing this, don't leave
tracks all over the place.
Over your computer.
I mean, sure, if you're going to say they're going to be launching this new thing in August
next year, that's one thing to say to a person.
But if you put together a whole presentation about the thing, that's fail.
That's fail.
Punishment level is a 10 because he had to settle.
He was obviously in breach of his NDA from the old company.
And it cost him 1.5 million in damages.
So the distress caused is a six pointer.
And bonus points of 12.
For zero effort.
This all adds up to the fail matrix score of 46.
All right.
Next story.
I hope you appreciate these amazing sound effects and video editing that I did.
Hold on.
We need to put the presentation on hold.
I have a problem.
Which one is which?
That one is mine on the left.
Your left hand.
Are you sure?
Because I want the one that is more.
Then the one with more is yours.
Nice.
Win.
We'll be taking questions later.
All right.
So the next one I call hiding in the cloud.
So once again a top sales guy leaves the company.
And the sales just take a nosedive, actually.
And they think he took the customer list, but they can't prove it.
They know that there's new customers.
They know that there's old customers over at the new company.
But they can't prove it.
They can't prove that he's taking the customer list.
So we image his computer and we start looking for the usual kind of clues.
So for example, link files are a Windows artifact that show what files have been recently opened.
They're a simple text file and they're pretty easily parsed and they've got a lot of information
about the location of the file, the date and the time, all that kind of good stuff.
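A parser for the fixed header of the Windows link (.lnk) files mentioned above, added here as an example and not part of the talk: it pulls out the target's timestamps, size, attributes and flags that an examiner reads off a LNK file. The sample link is constructed in `build_sample_lnk`; the header layout and CLSID are the documented ShellLinkHeader values.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits from the shell link header (only the ones useful for triage).
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data: bytes) -> dict:
    """Parse the fixed 76-byte ShellLinkHeader and return the triage fields."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a .lnk file")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, show, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
        "attributes": [n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit],
        "target_created": filetime_to_datetime(ctime) if ctime else None,
        "target_accessed": filetime_to_datetime(atime) if atime else None,
        "target_written": filetime_to_datetime(wtime) if wtime else None,
        "target_size": fsize,
        "show_command": show,
    }


def build_sample_lnk() -> bytes:
    """Constructed header: link to a 1 MiB archive file last written 2013-06-14 09:30 UTC."""
    written = datetime(2013, 6, 14, 9, 30, tzinfo=timezone.utc)
    created = written - timedelta(days=30)
    accessed = written + timedelta(hours=2)
    header = struct.pack("<I16sIIQQQIIIH", LNK_HEADER_SIZE, LNK_CLSID,
                         0x01 | 0x02 | 0x08 | 0x10 | 0x80, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), 1_048_576, 0, 1, 0)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header))  # reserved tail


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

To read a real link, pass `open(path, "rb").read(LNK_HEADER_SIZE)` to `parse_lnk_header`; the target path lives in the optional structures after the header, which this example does not parse.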
We look at a registry key, which I just love the name of this.
It makes absolutely no sense to me at all.
But, you know, somebody at Microsoft.
All right.
Microsoft maybe had a couple of these one day when they were working called BagMRU for
some unknown reason.
Most recently used.
But why bag?
You guys are just full of great answers.
Sure, we can explain why it's named that, but it's still a fucked up name.
BagMRU?
Come on.
Anyway.
So it's a registry key that can show user activity and it can show what files are inside
a folder.
So that's one of the things that we look at typically in a data exfiltration case.
Jump lists, which are ‑‑ that's actually wrong.
From Vista forward we've got jump lists.
If you look ‑‑
That's a fail.
That is a fail.
That should say Vista.
I've got to take a drink.
Drink.
I just don't love Vista enough to put it in there, so ‑‑ anyway, so jump lists
are the thing on your task bar if you've got, like, five Word documents open and you see ‑‑
you know, you click on it, you've got the five.
Those are jump lists, basically.
And IE history, Internet Explorer.
Internet Explorer is so much more than just a folder.
It actually records things that you do without your knowledge, like opening files.
But we're getting no love.
I'm not finding anything.
Show me the love, baby.
He's having a beer.
All right.
So we searched the IE history.
And we found a .htm file that had some JavaScript in it pointing to FilesAnywhere.
Who's familiar with that site?
It's very much like Dropbox, the same kind of concept, but it's more for business users,
so it's got a really ‑‑ a lot of really great audits.
So if you're uploading and downloading files, you can basically monitor and track them
and so forth.
That turned out to be a very nice thing, because typically that's only in the user control
panel.
But we found this little .htm file, and we solved the case.
Timing fail.
I'm sorry.
Bingo.
We solved the case.
All right.
So what we got was the account ID, the upload times, the file names, everything.
We got some sweet loving.
We got ourselves some stolen files.
Let's look at this little actual bit of JavaScript here.
I have changed the names of the file in this case, but, you know, we got stolen file, recipe
for Coke, for example, you know, just minor trade secrets.
The user is the user account name, so we were able to subpoena that from Files Anywhere
and figure out who actually registered the account.
There is the folder that it was in.
And this is really handy here, the date that it was uploaded.
And we got a whole bunch of these.
In fact, this is the first page of like an 80‑page Excel report that I prepared, and
these are all the file names that this guy uploaded.
So yeah.
So the second part of the story is ‑‑ I'm going to go back, another fail ‑‑ fail.
Which one do I drink from?
Yes.
Okay.
Good answer.
Good answer.
All right.
So the second part of the case, the opposing attorney, the guy representing the thief,
handed us an Outlook CD with an Outlook PST on it, and this is part of the discovery
process.
Discovery is a legal term in litigation where both sides are able to exchange evidence.
And, in fact, they have a ‑‑ they're compelled to exchange evidence through the rules of
the court.
So he gives us a CD, and it's got Outlook and Outlook PST on it.
The first thing we do is we look at ‑‑ there's not a lot of files in there, and the first
thing we do is we want to recover the deleted e‑mails in a PST, because we're forensic
analysts and that's what we like doing.
We like looking at people's e‑mails.
So I'm going to show you the old‑school way of recovering deleted e‑mails.
You use a hex editor, crack open the PST and you change bytes 7 through 12 or 7 through
13.
Change them to zeros.
Save the file.
Then you use the Outlook repair tool, which is built in with Microsoft, and you basically
repair the tool ‑‑ sorry, repair the PST, and what happens is you get a lot of
e‑mails back.
Now, these are not the actual e‑mails, but you get tons and tons of e‑mails back.
And, in fact, in this case, we got tens of thousands of deleted e‑mails.
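The old-school PST trick just described, as an added example rather than the speakers' own script: it never writes to the original, zeroes header bytes 7 through 13 in a working copy, and records the hashes and overwritten bytes for the examiner's notes before the Outlook repair tool is run on the copy. The 64-byte stand-in file in `run_demo` is constructed and is not real mail data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Header bytes the talk says to zero before running the Outlook repair tool.
# The speaker gives the range as "7 through 12 or 7 through 13"; this example
# uses offsets 7..13 inclusive, which covers both versions.
PATCH_START = 7
PATCH_LEN = 7


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare_pst_for_repair(original: Path, working: Path) -> dict:
    """Copy the PST and zero header bytes 7..13 in the COPY only.

    Returns what an examiner records: hash of the untouched original,
    hash of the patched working copy, and the bytes that were overwritten.
    """
    original_hash = sha256_of(original)
    shutil.copyfile(original, working)
    with open(working, "r+b") as f:
        f.seek(PATCH_START)
        overwritten = f.read(PATCH_LEN)
        if len(overwritten) != PATCH_LEN:
            raise ValueError("file too short to be a PST")
        f.seek(PATCH_START)
        f.write(b"\x00" * PATCH_LEN)
    # Re-hash the original: if it changed, something else touched the evidence.
    if sha256_of(original) != original_hash:
        raise RuntimeError("original evidence was modified; stop and document")
    return {
        "original_sha256": original_hash,
        "working_sha256": sha256_of(working),
        "overwritten_bytes": overwritten.hex(),
    }


def verify_patch(original: Path, working: Path) -> bool:
    """True only if the two files differ in exactly the patched bytes."""
    a = original.read_bytes()
    b = working.read_bytes()
    if len(a) != len(b):
        return False
    changed = [i for i in range(len(a)) if a[i] != b[i]]
    in_range = all(PATCH_START <= i < PATCH_START + PATCH_LEN for i in changed)
    return in_range and b[PATCH_START:PATCH_START + PATCH_LEN] == b"\x00" * PATCH_LEN


def run_demo() -> dict:
    """Exercise the workflow on a constructed 64-byte stand-in for a PST."""
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.pst"
        working = Path(d) / "evidence_working.pst"
        original.write_bytes(b"!BDN" + bytes(range(1, 61)))  # "!BDN" is the PST magic
        report = prepare_pst_for_repair(original, working)
        report["verified"] = verify_patch(original, working)
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

The working copy is then handed to Outlook's Inbox Repair Tool (scanpst.exe) on a Windows machine, as the speaker describes; the original stays sealed with its recorded hash.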
And what was in these e‑mails?
Everything that completely turned the case around.
So not only did we have this guy with all the uploads on the spreadsheets, we also had
all the e‑mails about who was involved, what lists he took, who were the ‑‑ you
know, all the people that were involved.
We were winning.
We went to Charlie Sheen mode all of a sudden.
And the funny thing is we were able to take all this information and at a deposition,
and if you don't know what a deposition is, we get to ask questions of the opposing party.
So we're asking them, you know, what happened?
Did you guys steal anything?
Did you take anything?
No, no, no.
We start pulling out these e‑mails, one by one by one, and the guy turns white as
a sheet.
And he spills the beans.
And basically, you know, we do pretty well.
So who deleted the mails, do you think, in this case?
Hmm.
Call it out if you think you know who deleted them.
Wow.
People got it almost immediately.
Okay.
All right.
All right.
Thank you.
Thank you.
Thank you.
They hired Saul Goodman, unfortunately.
And, yeah, he deleted the mails.
Not a good thing.
Not a good thing.
So what did we learn?
Did he claim privilege on those emails?
The question was did he claim privilege on the emails?
He claimed privilege on some of them, but not on all of the 10,000 that he deleted.
So I think ‑‑ I think it was the other one.
The IE history is actually really difficult to wipe is what we've learned.
It seems to leave stuff behind.
We found a new artifact, which is actually pretty cool, FilesAnywhere.
This JavaScript artifact.
I haven't heard this discussed anywhere before.
So I think it's kind of cool.
JavaScript files can give us love, too.
We like them.
And uploading files still leaves traces.
So an attorney shouldn't mess with evidence.
It's against the ethical rules in every state and probably every Canadian province, and
it can get you disbarred, actually.
So ‑‑
Well, let's look at the fail matrix.
So the user retard level is pretty damn high in this one.
We got fails on the attorney's part and also on the ex‑sales guy.
Huge lawsuit.
$3.5 million in fees and damages, which our client all got back, basically.
And 15 bonus points.
The attorney might lose his license on this one.
He hasn't yet.
We don't know.
We don't track that kind of stuff.
51.
We're moving up.
You ready?
Oh, right.
All right.
Let's do this shit.
So this next case was probably one of the most fun cases that I've worked on.
Right from the start I could tell that something was wrong.
It was going to be a fun one.
I call it the RDP bounce.
You'll see why.
I was called in to investigate a network breach.
The company told us and they shared some information with us that was evidence that at least one
computer had been breached.
They didn't know why.
They didn't know what.
And they asked us to investigate ‑‑ well, to tell them why and to tell them what.
It was a large company.
They had a lot of computers.
All of them were Windows‑based.
Thousands upon thousands of computers.
In offices all across the world.
And in one of their offices they noticed this computer had been breached.
So let's figure out what happened.
So we move in.
And actually I think I'm just going to pause here for two seconds.
Hey, Eric.
Is this your first time presenting at DEF CON?
Yes, it is.
Okay.
Thank you.
Thank you.
Thank you.
Thank you.
We don't even have to say anything anymore.
You guys know exactly what's going on.
Uh‑oh.
Is Sarah in the room?
Sarah?
Sarah.
Sarah.
Show yourself.
Oh, yeah.
Which Sarah?
Do you remember that name?
Yeah.
You, sir.
Is your name Sarah?
Start a board.
Start a board.
All right.
Bend over.
We thought Sarah was going to be here so we're just going to leave now.
You are the utmost ugliest Sarah ever. Finish that. Fail. Another soldier bites the dust. Winning.
Paul? Yes. Is there some issue about the sound person? No. Sarah is supposed to be the
sound person. Sarah is right here. You're talking about me, right? You know, I appreciate
that, Sarah, but we were looking for a different Sarah. Since she's not here, Sarah, would you
come up? Come on up. You're the next contestant on Will You Fail? Awesome. Thank you. Other
Sarahs get a contest. Oh, you already got one. Someone counted wrong. Here, pass one for
Sarah.
All right. I'm sort of double. I'm Sarah and so is my wife. I'm sure all of you want to be
Sarah right now. We already have Sarah Palin in the talk. To our new speakers and to our
new attendees.
Thank you. Thank you.
Two more this hour.
All right. We have 15 minutes left.
Thank you very much, goons, for doing that. It's Eric's first time at DEF CON.
All right. So I was talking about the RDP bounce case that I was investigating. Now, as I
mentioned, thousands of computers, various offices all around the world. So we ended up with a
computer that they knew was breached. And it showed that RDP, or Remote Desktop Protocol,
this is the tool that's built into Windows that allows you to remotely control another computer.
Some logs showed us that RDP was used to connect using the local administrator password to
another machine. It also showed that ‑‑ actually I said that backwards. It showed that RDP
was used to connect in and it also showed that RDP was used to connect out. So in this little
diagram here, I was looking at the middle computer. I didn't know at the time that there
were other computers. I was just looking at this middle one. And it seemed that there were a
bunch used in here. So it was probably the tip of the iceberg.
Where do you find these logs, Michael?
Specifically, I was looking at the Windows event log, the event viewer. If you go into the
control panel and then the administrator tools, there's the event viewer tool. By default, it
logs a lot of stuff in there, including when RDP is used to connect in and when RDP is used to
connect out. So I analyzed that ‑‑ the machine that came before it, and same thing.
There were logs that showed that somebody was connecting into that. It was basically an entire
bounce. Now, these computers were located in different offices all around the world. This
guy was bouncing all around the world to do something. So obviously this is a pattern. I
still didn't know what he was doing. I just knew that he was clearly going through a lot of
trouble to obfuscate his trail, bouncing all around, probably so that when he does hit his final
target, there's no direct evidence to where he was coming from.
Were they sessions within sessions?
Yes. They were all sessions within sessions. So he opens up a remote desktop, and then within
that remote desktop window, he opens up another remote desktop to another machine. And he just did
this over and over. It must have taken him hours, because remote desktop is not the fastest
protocol at all. So he must have ‑‑ I don't even want to speculate how long it took him to do
this.
Can you imagine how long the screen redraw was by the time you get to, like, machine 10?
Jesus Christ. You probably have to double click with, like, a minute in between clicks or
something. All right. So what was the target? So I think you can all figure out what I would do
next. Rather than following the trail back, I started following the trail forward. What was he
getting? So step after step, computer after computer, site after site after site, all around
the world.
So once I reached a high profile machine, I wish I could tell you which specific machine it
was. I can't, because it would give away too much about this company.
Did it have Nickelback on it?
It did not have Nickelback on it.
Choppiest video ever.
Yeah, choppiest video ever, for sure. So once I reached this machine, I knew exactly what he was
going after. He wanted highly confidential documents that were only on this one machine in the entire
company.
And he obviously knew this, and he wanted to get into this machine to get these documents.
So I focused my analysis on this target machine, on this special confidential machine, and I
wanted to see what did they do. Specifically, which files did they take? And it took me only
about two minutes as I was analyzing this machine, and I identified the attacker immediately.
Now, he went through all around the world, and finally when I was taking a look at his target,
within two minutes, I found out who he was.
He used his own credentials on the machine?
He used his own credentials on the machine? No, he did not use his own credentials on the machine.
Any other guesses?
Emails to himself? Nope.
He stole his own file? Nope.
He did not check Facebook.
No, no shared drives. Why didn't I tell you what he did?
Michael, what did he do?
Printers.
Printers.
So one thing that a lot of people don't know about remote desktop is by default it maps the printer
connected to your machine to the machine that you're connecting out to.
It does this so that when you hit print inside your remote desktop window, your printer next to you
is available so you can print a document beside you.
Now, this guy didn't print any documents, but just by connecting, the machine automatically mapped
his local printer to the target machine, which identified his machine name.
He forgot to turn this off.
There is a check box in remote desktop protocol.
When you open up the RDP window, you can hit options and then uncheck map printers to target machine.
It's just a check box.
He did not uncheck it.
Yeah.
What have we learned, Michael?
Well, what have we learned?
Log entries that are created by innocuous system events can give insight into user actions.
Now, he didn't map his printer.
The system did it automatically.
So sometimes just looking at what the system is doing can tell you what the user was doing.
For the fail matrix, user retard level would be about a 20 because he went through a lot of trouble to cover his tracks and he did not cover his tracks.
Punishment level would be 15.
He lost his job.
He also lost his references.
He can't use that company as a reference anymore.
So distress cause would be 8.
Bonus points would be 20.
Do some research.
If you're going to use RDP to pull off some kind of a scam, know how RDP works.
Adding it all up, we get a fail score of 63.
Now the last story.
Here, Eric.
All right.
So the last story is a little bit different than the other.
This is the epic porno fail.
So the difference in this one is all the other cases we've talked about have either been commercial litigation, civil litigation, something on that side.
This one happens to be a criminal case.
And from time to time we do criminal defense work.
And we work either with public defenders or with private attorneys.
And so this is about this kind of situation.
So our client, Edgar, has been charged with possession of contraband, AKA child porn in his case.
He claims innocence, as usual.
And I kind of roll my eyes because everybody always claims innocence.
And, you know, 98% of these people did it.
We examine the computer.
We looked at the examiner's report.
We looked at their allegations.
And let's take a look at them.
So they claim Edgar downloaded porn.
All right.
They claim that Edgar's user account had passwords.
And this is all documented right here.
And the report.
And they claim that Edgar utilized news groups to download porn.
Like, for real?
Who uses news groups to download porn?
Anybody?
Anybody?
I think they have the web now.
Yeah.
News groups, right?
That guy?
I would believe.
All right.
So they allege that he downloaded illegal porn.
No.
Keep this in mind as we go through the talk.
He left his house in April 2012.
His wife kicked him out because of all this stuff happening, basically.
So April 2012.
Keep that in mind.
So let's look when we examine the computer.
Let's see what we came up with.
So first we looked at IE history.
And as I mentioned before, IE history is able to show you when a file has been opened.
So this is an actual example.
I've changed the file name a little bit here.
And what was the date that I just mentioned?
April 2012.
Okay.
I see some dates here.
Are these before or after April 2012?
Put up your hand if it's after.
Yeah.
So all right.
One fail here.
Let's look at his peer-to-peer software download folder.
So in the top there, I've got the path where these naughty files were downloaded.
And it's a pretty typical path.
These P2P programs change the file name to something else.
So it's like T dash something something something naughty file anyways.
I'm looking at the dates here again.
And Michael, do you have a calendar?
Give me a second here.
When is December?
It is after April.
It's after April.
Okay.
Just wanted to check.
We need to verify our forensic findings before we can publish them.
So, you know, we're verifying.
Oops.
I think.
Fail.
Fail.
Give me that beer.
All right.
So they also claim that he used Outlook Express, really, to download porn.
Outlook Express.
This is 2012, remember, folks.
Makes me wonder.
Did they even analyze this guy's machine?
Where are they coming up with this stuff?
We saw records of P2P, not Outlook Express.
Outlook Express.
All right.
In reality, yes, Outlook Express was on the machine, set up with an account called Pornolover.
Okay.
It was set up after Edgar moved out of the house.
And only headers were downloaded.
No content.
What do you mean by headers?
So a header is, if you're using Outlook Express, it is just the first part of the file.
The email is going to have the date, the sender, the receiver, maybe the subject line,
maybe the first couple of words.
But there was no content.
There were no photos in there.
Just headers.
With, you know, admittedly, porno names.
So they also, let's look at accusation number three.
They say his user account had a password.
And the inference is only Edgar was able to access it because there was a password.
Let's look at the password.
Maybe we can zoom in a little bit on this.
This is actually a really cool utility.
It's free.
It's called LCP.
I'll just go back to it for one second here.
It's a free utility.
It's really great for looking and seeing if there are passwords.
You can also use it to perform an attack.
Although it's not very good.
All right.
Let's go back to the examiner.
The P2P client was used to download porn.
The examiner didn't find that.
Into a new user account called Pornolover.
Guess when.
After he moved out of the house.
So we submitted our report to the prosecutor.
It was like a five, ten page report.
Something like that.
And the government dropped the charges.
Years after they charged this guy.
They dropped the charges.
This does not ever happen really.
This is the first time.
I've done thousands of cases.
Hundreds of cases.
Thousands of exams.
I don't know how many.
It's never happened before.
And this is after the guy spent a huge amount of money on legal costs.
So to do all this.
I just want to give a thank you to Rob Lee.
Anyone know Rob Lee?
We use super timeline analysis to do a lot of this work.
Super timeline is a really amazing piece of software.
That will basically go through the computer.
And look at all the computer generated artifacts.
And put everything into a nice chronological sequence for you.
So a really awesome piece of software.
Definitely one of the best pieces of software I've used.
Yeah.
So.
The government interviews Edgar's friend.
The friend confesses.
The friend did it.
The friend was trying to get jiggy with Edgar's wife.
And he put the porn on the computer.
And the court clears Edgar's name.
They give him a finding of actual innocence.
And the court gives him a finding of actual innocence.
Never happens.
Yeah.
I've had many people claim innocence.
And this guy actually claimed innocence.
And he really was.
Yeah.
Rarely happens.
I've been to court a couple times where there's been acquittals.
And we didn't go to court on this one fortunately.
But we would have.
So what do we learn?
Base your conclusions upon actual evidence.
Find multiple artifacts backing up your allegations.
And I don't know where the password thing came from.
Tie it to a person.
And try to look at user activity that would tie specific events to a person.
So.
Remember the maximum you can get is 20 in any category.
However.
I've decided to break the rules a little bit for this one.
So examiner ineptness.
He gets five bonus points built in.
Right there.
Oh yeah.
The guy sued the city for millions of dollars.
And.
You know.
There might be a job security issue for somebody in this case.
Yeah.
I don't think that examiner is going to really have a job.
And 100 bonus points because the court finds the suspect innocent.
So.
Factually innocent.